Living in a Secure Container Down by the River
Offered By: YouTube
Syllabus
Living in a Secure Container, Down
In the Beginning
Spoiler: Containers Aren't Sandboxes
Isolating Container Workloads, IRL
The Gateway Drug
Container Isolation Models: via cgroups & namespaces (Docker, rkt, LXC)
Open Container Initiative (OCI) Spec: defines image and runtime attributes
Control Groups & Namespaces: by UID, GID, PID
gVisor: user-space kernel
Kata Containers + Hypervisor: previously Intel Clear Containers; the container runtime executes within a true hypervisor, providing an extra layer of isolation between the container and the host OS
Implementation Flaw - Account Reuse: by default, K8s uses the namespace's default service account if you don't define one for your pod
Network Policies: this is often a good problem to solve at the orchestration layer; restrict egress traffic by default and whitelist exceptions
Leveraging Good Design Patterns
No New Privileges: introduced in Linux 3.5, uses the no_new_privs kernel flag
Read-Only Containers: prevents writing to the root filesystem, reducing an attacker's ability to modify files and/or elevate privileges
Building Policies: how many of your Java developers understand SELinux?
Conclusion: container isolation goes beyond the runtimes themselves
Related Courses
Cloud Computing Applications, Part 1: Cloud Systems and Infrastructure (University of Illinois at Urbana-Champaign via Coursera)
Introduction to Cloud Infrastructure Technologies (Linux Foundation via edX)
Introduction aux conteneurs (Introduction to Containers) (Microsoft Virtual Academy via OpenClassrooms)
The Docker for DevOps course: From development to production (Udemy)
Windows Server 2016: Virtualization (Microsoft via edX)